Nokia Secure Access System v3.3 New Features Guide. Including New Features from v3.1 and v3.2

Transcription

1 Nokia Secure Access System v3.3 New Features Guide Including New Features from v3.1 and v3.2 Part No. N Rev 001 Published November 2005

2 COPYRIGHT 2005 Nokia. All rights reserved. Rights reserved under the copyright laws of the United States. RESTRICTED RIGHTS LEGEND Use, duplication, or disclosure by the United States Government is subject to restrictions as set forth in subparagraph (c)(1)(ii) of the Rights in Technical Data and Computer Software clause at DFARS Notwithstanding any other license agreement that may pertain to, or accompany the delivery of, this computer software, the rights of the United States Government regarding its use, reproduction, and disclosure are as set forth in the Commercial Computer Software-Restricted Rights clause at FAR IMPORTANT NOTE TO USERS This software and hardware is provided by Nokia Inc. as is and any express or implied warranties, including, but not limited to, implied warranties of merchantability and fitness for a particular purpose are disclaimed. In no event shall Nokia, or its affiliates, subsidiaries or suppliers be liable for any direct, indirect, incidental, special, exemplary, or consequential damages (including, but not limited to, procurement of substitute goods or services; loss of use, data, or profits; or business interruption) however caused and on any theory of liability, whether in contract, strict liability, or tort (including negligence or otherwise) arising in any way out of the use of this software, even if advised of the possibility of such damage. Nokia reserves the right to make changes without further notice to any products herein. This product includes software developed by the Apache Software Foundation ( software consists of voluntary contributions made by many individuals on behalf of the Apache Software Foundation. For more information on the Apache Software Foundation, please see < Portions of this software are based upon public domain software originally written at the National Center for Supercomputing Applications, University of Illinois, Urbana-Champaign. This product includes software developed by Ralf S. Engelschall <rse@engelschall.com> for use in the mod_ssl project ( This product includes software developed by Computing Services at Carnegie Mellon University ( computing/). This product contains ICU; International Components for Unicode library developed by International Business Machines Corporation. This product contains the SpiderMonkey (JavaScript-C) Engine from mozilla.org ( spidermonkey/) and is licensed under the Mozilla Public License. See for the latest version of the license. This product includes ssldump, developed by Eric Rescorla for RTFM, Inc. This product contains the zlib library, written by Jean-loup Gailly and Mark Adler. This product includes cryptographic software written by Eric Young (eay@cryptsoft.com). This product includes psapi.dll copyright Microsoft Corporation Please see PSAPI-LICENSE.txt in the Legal directory for license terms. This product contains software written by ImageMagick Studio LLC, a non-profit organization dedicated to making software imaging solutions freely available. Copyright ImageMagick Studio LLC. This software is based in part on the work of the Independent JPEG Group. TRADEMARKS Nokia is a registered trademark of Nokia Corporation. Other products mentioned in this document are trademarks or registered trademarks of their respective holders. 2 Nokia Secure Access System v3.3 New Features Guide

3 Nokia Contact Information Corporate Headquarters Web Site Telephone or Fax Mail Address Nokia Inc. 313 Fairchild Drive Mountain View, California USA Regional Contact Information Americas Nokia Inc. 313 Fairchild Drive Mountain View, CA USA Tel: Outside USA and Canada: Europe, Middle East, and Africa Nokia House, Summit Avenue Southwood, Farnborough Hampshire GU14 ONG UK Tel: UK: Tel: France: Asia-Pacific 438B Alexandra Road #07-00 Alexandra Technopark Singapore Tel: Nokia Customer Support Web Site: Americas Europe Voice: or Voice: +44 (0) Fax: Fax: +44 (0) Asia-Pacific Voice: Fax: Document History Document Part Number Publication Date N July 2005 N November Nokia Secure Access System v3.3 New Features Guide 3

4 4 Nokia Secure Access System v3.3 New Features Guide

5 Contents About This Guide Conventions This Guide Uses Notices Text Conventions Related Product Documentation New Features for Nokia Secure Access System v Supported Operating Systems System Quick Start Configuration Script Starting the System Quick Start Script Configuring a Network Interface Configuring the Gateway Domain Name Configuring DNS Servers Managing the NSAS Software Package Active Directory Authentication Through Kerberos Active Directory Authentication Through Kerberos Requirements Configuring Active Directory Authentication Through Kerberos Dynamic Application Tunneling Dynamic Application Tunneling Requirements Configuring Dynamic Application Tunneling Secure Connector Improvements Secure Connector Installer for All Platforms Secure Connector for Linux Installing Secure Connector for Linux Running Secure Connector for Linux Displaying Command Line Options Uninstalling Secure Connector for Linux Notes Secure Connector for Macintosh Installing Secure Connector for Macintosh Running Secure Connector for Macintosh Displaying Command-Line Options Uninstalling Secure Connector for Macintosh Notes Next Hop Routing Support for Secure Connector Nokia Secure Access System v3.3 New Features Guide 5

6 New Secure Connector Scan Template for Trend Micro Antivirus Login Form Prefill New Features for Nokia Secure Access System v Supported Operating Systems Authentication Method Validation Hostname Hiding Active Session Termination Report Generation End-User Portal Enhancements End-User Portal Changes Customizing the End-User Portal Managing End-User Portal Elements Customizing the Sign-on Page Customizing End-User Portal Pages High Availability Improvements Using Nokia IPSO VRRP with Nokia Secure Access System Enabling Certificate Sharing Configuring Session State Sharing Configuring the VRRP to FQDN and Certificate Table Configuring Internal Load Balancing Configuring DNS Round Robin Load Distribution Client Integrity Scan Improvements Secure Connector Improvements Secure Connector IP Assignment Improvements Multiple WINS, DNS, Domain Suffix Support End-Point Security Scanning Configuring Client Checks About Failed Client Checks Using Standard Templates Using Custom Templates Configuring a Check Group Configuring a Scan Group Configuring Scan Rules New Features for Nokia Secure Access System v ActiveX for Port Forwarding Additional Port Forwarding Enhancements Configuring Port Forwarding to Start Automatically Overriding the Autostart Configuration Settings Dual Authentication Configuring Dual Authentication Configuring the Sign-On Message Nokia Secure Access System v3.3 New Features Guide

7 Single Sign-On Enhancements Index Nokia Secure Access System v3.3 New Features Guide 7

8 8 Nokia Secure Access System v3.3 New Features Guide

9 About This Guide This document is intended for system administrators who want to learn about and configure the new features available in Nokia Secure Access System v3.3. Chapter 1 of this guide provides descriptions of and steps for configuring these new features. Chapter 2 and chapter 3 reprint the information offered in the v3.2 and v3.1 versions of this guide to provide readers with a single source of information on all changes since the Nokia Secure Access System Configuration Guide and Technology Overview were updated for Nokia Secure Access System v3.0. This preface describes:! Conventions This Guide Uses! Related Product Documentation Conventions This Guide Uses The following sections provide the document conventions including notices, menu items, and IP address notation conventions used throughout this guide. Notices Note Notes provide information of special interest or recommendations. Nokia Secure Access System v3.3 New Features Guide 9

10 Text Conventions Table 1 describes the text conventions that are used in this guide. Table 1 Text Conventions Convention Menu commands The words enter and type Description Menu commands are separated by a greater than sign (>): Choose File > Open. Enter indicates you type something and then press the Return or Enter key. Do not press the Return or Enter key when an instruction says type. Related Product Documentation The following is a list of related product information for Nokia Secure Access System.! Nokia Secure Access System Online Help! Nokia Secure Access System Getting Started Guide v3.2! Nokia Secure Access System Configuration Guide v3.0! Nokia Secure Access System User s Guide v3.2! Nokia Secure Access System Technology Overview v3.0! Nokia Secure Access System Release Notes v Nokia Secure Access System v3.3 New Features Guide

11 1 New Features for Nokia Secure Access System v3.3 This chapter describes the operating system support and requirements and describes the new features available in Nokia Secure Access System v3.3. The new features are:! System Quick Start Configuration Script! Active Directory Authentication Through Kerberos! Dynamic Application Tunneling! Secure Connector Improvements! Secure Connector for Linux! Secure Connector for Macintosh! Secure Connector Installer for All Platforms! Next Hop Routing Support for Secure Connector! Login Form Prefill Nokia Secure Access System v3.3 also contains fixes for a number of issues found in previous versions of the software. See the Nokia Secure Access System v3.3 Release Notes for a detailed description of the issues that have been resolved in this release. Supported Operating Systems The following gateway operating systems are supported for Nokia Secure Access System v3.3:! Nokia IPSO v3.8 Build 51! Nokia IPSO v3.8.1 Build 35! Nokia IPSO v3.9 Build 43 If you are running an earlier version of the Nokia IPSO operating system, you must upgrade it before you install Nokia Secure Access System v3.3. For information about how to upgrade the operating system, see the release notes for the version of Nokia IPSO to which you are upgrading. Nokia Secure Access System v3.3 New Features Guide 11

12 1 New Features for Nokia Secure Access System v3.3 Note All Nokia 50s, 60s, 100s, and 500s gateways are factory-installed with the correct version of the IPSO operating system to successfully run Nokia Secure Access System. The Nokia Secure Access System v3.3 gateway can be accessed by client systems running Microsoft Windows 98 or later, Linux, and the Macintosh OS X operating systems. System Quick Start Configuration Script Nokia Secure Access System v3.3 provides a system quick start script that allows those deploying a new gateway to use the console connection for configuration steps previously performed in Nokia Network Voyager. This script simplifies the rollout of a new appliance by allowing the administrator to perform both the initial network configuration and other Nokia IPSO configuration tasks from the console and then proceed directly to the Web-based gateway manager to complete configuration of the appliance. The new system quick start script lets you:! Configure network interfaces! Configure the gateway domain name! Configure DNS servers used by the gateway! Manage the Nokia Secure Access System software package These steps can still be performed in Nokia Network Voyager if you prefer. Starting the System Quick Start Script You start the system quick start script from the console command line after responding to initial network configuration prompts that appear the first time Nokia IPSO starts up. For more information about how to establish a console connection and how to use the initial network configuration script, see the hardware installation guide for your appliance or the release notes for the version of Nokia IPSO you are using. To start the system quick start script 1. From the console command line, enter: nsasconfig 12 Nokia Secure Access System v3.3 New Features Guide

13 System Quick Start Configuration Script The system quick start script main menu appears. Nokia Secure Access System Quick Start Script ) Configure an interface and use our Web-based Configuration via a remote browser 2) Configure Domain Name (FQDN) 3) Configure Domain Name Server 4) Manage NSAS Package s) Save and Quit q) Quit Without Saving Please enter a choice [ 1-4, s, q ]: 2. Enter the number corresponding to the item you want to configure.! Enter 1 to configure a network interface. You configure one network interface during the Nokia IPSO initial network configuration. If that is the only interface needed, you can skip this selection. Use this selection if you need to configure additional interfaces. For additional information on using the system quick start script to configure network interfaces, see Configuring a Network Interface on page 14.! Enter 2 to configure the domain name for the gateway. You configure the gateway hostname during the Nokia IPSO initial network configuration. Use this selection to configure the domain name for the gateway. For additional information on using the system quick start script to configure the gateway name, see Configuring the Gateway Domain Name on page 15.! Enter 3 to configure one or more DNS servers. Use this selection to specify one or more DNS servers to resolve hostnames. For additional information on using the system quick start script to configure DNS servers, see Configuring DNS Servers on page 16.! Enter 4 to manage the Nokia Secure Access System software package. On a new Nokia Secure Access System appliance, the Nokia Secure Access System software package is on the disk but not unpacked or activated. Use this selection to unpack and activate the package. For additional information on using the system quick start script to manage the Nokia Secure Access System software package, see Managing the NSAS Software Package on page When you have finished your configuration changes, enter s to save your changes and leave the system quick start script. The following message appears. Exiting nsasconfig: You have made important changes to the system and it is recommended to reboot the system; would you like to reboot? [ y n ]? y Nokia Secure Access System v3.3 New Features Guide 13

14 1 New Features for Nokia Secure Access System v Enter y. The following message appears. Exiting Nokia Secure Access System Quick Start Script After you have completed both the Nokia IPSO initial network configuration script and the Nokia Secure Access System system quick start script, you can use a Web browser to complete the gateway configuration. Enter the IP address or fully qualified domain name of the Nokia Secure Access System in a Web browser to display the Nokia Secure Access System portal from which you can access the gateway manager. Configuring a Network Interface You configure one network interface during the initial Nokia IPSO configuration. Use the system quick start script if you need to configure additional interfaces. For information about how to start the quick start script, see To start the system quick start script on page 12. To configure a network interface 1. Select menu option 1 from the system quick start script main menu to display the Interface Configuration menu. You are prompted to select a network interface to configure. The list of interfaces you see depends on the NICs installed. Enter the number corresponding to the interface you want to configure. Interface Configuration Select an interface from the following for configuration: 1) eth1 2) eth2 3) eth3 4) eth4 5) Quit this menu Enter choice [1-5]:4 Enter the number corresponding to the interface you want to configure. 2. You are prompted for the IP address and netmask: Enter the IP address to be used for eth4: Enter the mask length: Enter the IP address and subnetwork mask length. 14 Nokia Secure Access System v3.3 New Features Guide

15 System Quick Start Configuration Script 4. Respond to the prompts for additional information as they appear. Do you wish to set the default route [ y ]? This interface is configured as 10 mbs by default. Do you wish to configure this interface for 100 mbs [ n ]? This interface is configured as half duplex by default. Do you wish to configure this interface as full duplex [ n ]? 5. After you finish configuring the interface, you are asked to confirm the interface configuration. You have entered the following parameters for the eth4 interface: IP address: masklength: 24 Speed: 100M Duplex: half Is this information correct [ y ]? 6. Enter y to confirm the interface configuration and return to the system quick start script main menu. Configuring the Gateway Domain Name You configure the hostname for the appliance during the initial Nokia IPSO configuration. Use the system quick start script to configure the domain name for the gateway. For information about how to start the quick start script, see To start the system quick start script on page 12. To configure the fully qualified domain name of the gateway 1. Select menu option 2 from the system quick start script main menu. You are prompted to confirm that you want to configure the domain name. Do you wish to configure Domain Name? [ y n ] y 2. Enter y to continue. You are prompted for the domain name. Domain Name? mycompany.com 3. Enter the domain name for the system and press return. Only letters, numbers, dashes, and dots (.) are permitted in a domain names. You are prompted to confirm the domain name. Domainname set to "mycompany.com", OK? [y] 4. Enter the domain name for the system and press return. Only letters, numbers, dashes, and dots (.) are permitted in a domain names. You are returned to the system quick start script main menu. Nokia Secure Access System v3.3 New Features Guide 15

16 1 New Features for Nokia Secure Access System v3.3 Configuring DNS Servers Use the system quick start script to configure the DNS servers used by the gateway to resolve host names to IP addresses. For information about how to start the quick start script, see To start the system quick start script on page 12. To configure DNS servers 1. Select menu option 3 from the system quick start script main menu. You are prompted to confirm that you want to configure a DNS server. Do you wish to configure Domain Name Server? [ y n ] y 2. Enter y. You are prompted for the IP address of the primary DNS server. Please Enter Primary DNS IP Primary DNS? 3. Enter the primary DNS server IP address and press return. You are prompted to confirm the information you entered. Primary DNS set to "xxx.xxx.x.xx", OK? [y] y 4. Enter y to confirm the DNS address. The following prompt displays. set the Primary DNS to xxx.xxx.x.xx Please Enter Secondary DNS IP or <enter> for none Secondary DNS? 5. Press enter to return to the system quick start script main menu or enter the secondary DNS and repeat step 3 and step 4. You can add up to three DNS servers. Managing the NSAS Software Package On a new Nokia Secure Access System appliance, the Nokia Secure Access System software package is on the disk but not unpacked or activated. Use the system quick start script to unpack and activated the package. After the initial setup, the system quick start script can be used to copy software packages to the appliance from a CD or FTP site to update the gateway. For information about how to start the quick start script, see To start the system quick start script on page 12. To manage the NSAS software package 1. Select menu option 4 from the system quick start script main menu. You are prompted to confirm that you want to manage the Nokia Secure Access System software package. Do you wish to Enable, Install, Upgrade NSAS? [ y n ] 16 Nokia Secure Access System v3.3 New Features Guide

17 System Quick Start Configuration Script 2. Enter y to display the Manage NSAS Package menu. Manage NSAS Package ) Install/Upgrade NSAS 2) Initialize NSAS 3) Enable NSAS 4) Quit this menu Please enter a choice [ 1-4 ]: 3. Enter 1 to install the package. You are prompted to confirm that you want to install Nokia Secure Access System and to save your changes. Do you wish to Install/Upgrade NSAS? [ y n ] y Would you like to save any changes made so far? [ y n ] 4. You are prompted for the location of the package. Load new package from: 1. Install from CD-ROM 2. Install from anonymous FTP server. 3. Install from FTP server with user and password. 4. Install from local file system. 5. Exit new package installation. Choose an installation method (1-4): 1 5. Enter 4 to install the package provided with the appliance. You are prompted for the package location. Enter pathname to the packages [ or 'exit' to exit ]: /opt/packages 6. Enter /opt/packages and the script displays the first packages encountered in the specified location. Package Description: Nokia Secure Access System v3.3.0 Build Would you like to: 1. Install this as a new package 2. Skip this package 3. Exit new package installation Choose (1-3): 1 7. If the displayed package name in not one you want to install, enter 2. Otherwise, enter 1 to install the package. After a series of installation messages you are returned to the Manage NSAS Package menu. 8. Enter 2 to initialize Nokia Secure Access System and confirm the initialization when prompted to do so. You are returned to the Manage NSAS Package menu. Nokia Secure Access System v3.3 New Features Guide 17

18 1 New Features for Nokia Secure Access System v Enter 3 to enable Nokia Secure Access System and confirm this action when prompted. You are returned to Manage NSAS Package menu. 10. Enter 4 to quit the Manage NSAS Package menu then q to leave the system quick start script. You can now use the gateway manager to configure the Nokia Secure Access System software. Active Directory Authentication Through Kerberos Nokia Secure Access System v3.3 now uses Kerberos version 5 as the default protocol to authenticate users logging in to the gateway with an Active Directory authentication method. In previous versions Active Directory authentication methods used the LDAP protocol. Note Active Directory authentication through LDAP has been renamed to LDAP-based Active Directory. Active Directory authentication methods defined with previous versions of Nokia Secure Access System are maintained unaltered as LDAP-based Active Directory methods when you upgrade to version 3.3. If you want to use authentication through Kerberos, define a new Active Directory authentication method. Kerberos provides a trusted third party authentication protocol with mutual authentication and key exchange, plus symmetric shared key cryptography. The Kerberos v5 protocol became the default authentication package for Microsoft Windows with Windows The Windows 2000 domain controller consists of three key components:! Kerberos Key Distribution Center (KDC) The KDC is integrated into the domain controller and provides authentication (ticket granting) services. Communication with the KDC uses the Kerberos v5 protocol.! Active Directory Services (ADS) The ADS security account database (user accounts) is also integrated into the domain controller. Clients query ADS for user account related information such as password expiration, group membership, and other attributes. Communication with the ADS service uses LDAP v3.! DNS Server The DNS server may or may not be installed on the same server as the domain controller. The DNS server provides name resolution services. Nokia Secure Access System v3.3 allows authentication of user domain credentials against a Windows ADS domain controller using Kerberos v5. As with the other Nokia Secure Access System authentication methods, Active Directory authentication is limited to authenticating a user logging in to the gateway against a security database. This should not be confused with Authorization. Authentication only verifies who the user says they are. It does not determine which files and other objects they can access. Authorization decisions are left to the access control mechanism used by back end systems. 18 Nokia Secure Access System v3.3 New Features Guide

19 Active Directory Authentication Through Kerberos Active Directory Authentication Through Kerberos Requirements The following infrastructure is required to authenticate Nokia Secure Access System users with Active Directory through Kerberos:! An Active Directory Services Domain An Active Directory server, that maintains a database with account information for all security principals (like user accounts) in its realm. The Nokia Secure Access System Active Directory authentication method requires a domain name to locate the corresponding Active Directory server, KDC service, and ADS service host address. The Nokia Secure Access System Active Directory authentication method also requires that the user password be defined in the security database even though this may not be required when the account is created. In other words, you cannot force password definition the first time the user attempts to authenticate through Nokia Secure Access System or allow null passwords.! DNS Service Location (SRV) Records DNS SRV records specify hosts that offer specific services such as Active Directory servers. The DNS servers used by a Nokia Secure Access System Active Directory authentication method must provide SRV resource records for the Kerberos key distribution center and the Active Directory security account database. For example: godzilla.myco.com A _kerberos._tcp.dc._msdcs.myco.com SRV godzilla.mycompany.com _ldap._tcp.dc._msdcs.myco.com SRV godzilla.mycompany.com _kerberos._tcp.myco.com SRV godzilla.mycompany.com _ldap._tcp.myco.com SRV godzilla.mycompany.com By default Windows 2000/2003 adds the SRV records to the DNS when a domain is created. For other DNS servers, the administrator may have to create these records manually.! Network connectivity For Kerberos authentication to occur, there must be TCP/IP network connectivity between the client, the Active Directory server, and the DNS servers. The default KDC service ports are TCP/88 and UDP/88. For ADS, communication on the LDAP port (389) is required. Traffic on these ports (those configured in the SRV records) must be allowed through any firewalls between the gateway and the domain server services. You will also need to connect on port 3268 for access to the global catalog. The global catalog must have SRV records of _gc._tcp.myco.com and _gc._tcp.dc._msdcs.myco.com.! Time Service For Kerberos authentication to function properly, the time on the Nokia Secure Access System gateway and the time on the Active Directory server must be synchronized. By default the Active Directory server has a built-in mechanism to keep the time synchronized in its entire domain using the NTP protocol. Nokia IPSO also supports NTP to synchronize the system clock with an external source. Nokia Secure Access System v3.3 New Features Guide 19

20 1 New Features for Nokia Secure Access System v3.3 Configuring Active Directory Authentication Through Kerberos To configure Active Directory Authentication Through Kerberos 1. From the Nokia Secure Access System configuration menu, choose User Configuration > Authentication to display the Manage Authentication Methods page. 2. Select ActiveDirectory from the New Authentication Method of Type drop-down list to create the new authentication method. 3. The Properties for new ActiveDirectory Authentication Method page appears. 4. Scroll down to the Identification section. Enter a name and description for the new method. 5. Scroll down to the Server Properties section: a. Enter the name of the Active Directory domain against which users will be authenticated. The gateway uses the DNS locator service to identify the Active Directory server that services the specified domain. b. In the Restrict Access to Domains section, specify how the login name the user provides (user@domain) is handled if there is no match for the identity in the specified domain. 20 Nokia Secure Access System v3.3 New Features Guide

21 Active Directory Authentication Through Kerberos! Click the top radio button to allow authentication of users that are members of any domain trusted by the specified domain.! Click the middle radio button to limit users authenticating by using this method to those that are members of a specified domain.! Click the bottom radio button to allow users of the specified domain or any of its subdomains to authenticate by using this method. Note A user can authenticate by entering their full address, for example user@corp.com. If the Active Directory Server is configured appropriately, the NSAS gateway can be configured to authenticate (or not authenticate) users in subdomains (for example, user@example.corp.com). See the Nokia Secure Access System Configuration Guide for more information. If authentication using the current method fails, Nokia Secure Access System attempts to authenticate the supplied identity using any other enabled authentication methods. See the Nokia Secure Access System Configuration Guide for details. c. Optionally, change the default time-out for authentication requests. d. Optionally, specify a character encoding for credentials passed to the gateway. 6. Scroll down to the Additional Certificate Authentication section. By default, users of this authentication method that are authenticated through the specified Active Directory server are allowed access to the portal. You can, however, specify an additional method of authentication using one of the certificate based authentication methods defined on the gateway. To do so: a. Click the Enable Additional Certificate Authentication Using PKI Authentication Method checkbox. b. Select the PKI method to use from the drop-down list. Use the radio buttons located below the authentication method drop-down list to specify whether the certificate is required to authenticate or optional.! If certificate authentication is required, users must successfully authenticate with both an Active Directory username/password and the specified PKI certificate authentication method. Nokia Secure Access System v3.3 New Features Guide 21

22 1 New Features for Nokia Secure Access System v3.3! If certificate authentication is optional, the administrator can use groups to provide more or different access to users that succeeded in authenticating with a certificate from those that did not. 7. Scroll down to the Logging section and check the box to enable logging for this method. Note Debug logging generates a large volume of log data and can adversely affect gateway performance. Nokia recommends that you only enable this feature when you are troubleshooting specific problems. 8. Scroll to the bottom of the page and click Save Settings. 9. Click the Group Retrieval tab to display the Group Retrieval page. a. In the Static User Group Membership section, click Edit List and select groups defined on the gateway to which you want all users logging in with this method assigned. b. In the Dynamic User Group Membership Retrieval section, use the radio buttons to specify whether you want to retrieve users Active Directory group information when they authenticate. To apply the retrieved group information, you must create a group with an identical name on the gateway and use that group to control access. All users that belong to the Active Directory group with that name are automatically assigned to the corresponding group on the gateway when they log in. 22 Nokia Secure Access System v3.3 New Features Guide

23 Dynamic Application Tunneling If you are retrieving Active Directory group information, you can optionally specify that nested group information also be returned by checking the Search for Nested Groups checkbox. When checked, the Active Directory authentication method retrieves up to 20 levels of nested group information. 10. Scroll to the bottom of the screen and click Save Settings. Dynamic Application Tunneling Nokia Secure Access System v3.3 provides a new feature that allows client applications to dynamically establish tunnels through the gateway to resources on a protected network. This new functionality, called dynamic application tunneling (DAT), provides functionality similar to port forwarding but is more easily configured and is more flexible. Like port-forwarding resources, dynamic application tunneling resources forward TCP connections from a client to a server inside the firewall on the enterprise network.! A port-forwarding client provides a passive local proxy for specific servers and port numbers defined by the administrator.! A dynamic application tunneling client opens connections as they are requested by the application. This means it is not necessary for the administrator to specify all the local and remote IP addresses and ports used by the application. In addition, dynamic application tunneling does not require modification of the hosts file on the client system. This means the client does not need to run at a privilege level necessary to modify the hosts file and that the hosts file cannot be left in an inconsistent state by an abnormal port event. Note Dynamic Application tunneling is only available for Windows ActiveX clients. UDP forwarding is not supported. Note Although dynamic application tunneling can be used for any TCP port forwarding application only Microsoft Outlook, Microsoft Terminal Services client, Lotus Notes client, Citrix client, and Oracle Jinitiator client have been verified for the initial release. When a user selects a dynamically tunneled application from the portal:! The gateway asks the DAT client to launch the application using the information configured when the dynamically tunneled application was defined.! After the application launches, the DAT client listens for host name and connection requests from the application.! When a host name request is detected, the DAT client checks to if the requested domain is configured to be resolved through the gateway. If so, the DNS query is sent to the gateway for resolution. Otherwise, the request is resolved normally by the client system. Nokia Secure Access System v3.3 New Features Guide 23

24 1 New Features for Nokia Secure Access System v3.3! When a TCP connect request is detected, the DAT client checks if the requested destination is configured to be tunneled through the gateway. If so, the DAT client sets up a local loopback listen socket for the connection, and requests the gateway to open a port forwarding channel to the remote IP address and port number. Otherwise the TCP connection request is handled normally by the client system. From this point on, the connection behaves the same as a static port-forwarding connection and the gateway forwards data between the resource on the protected network and the DAT client. Note Dynamically tunneled applications must be launched from the portal by clicking a portal link to establish communication through the gateway. Dynamic Application Tunneling Requirements To configure a dynamically tunneled application, you need to:! Name and identify the application.! Provide the information needed to launch the application on the client. In addition, you must define the settings used by all dynamically tunneled applications if you want to restrict subnets accessed and DNS requests resolved through the gateway. For information about how to configure dynamic application settings, see To configure dynamic application settings on page 27. Configuring Dynamic Application Tunneling To define a dynamically tunneled application 1. From the Resources menu choose Application to display the Manage Applications page. 24 Nokia Secure Access System v3.3 New Features Guide

25 Dynamic Application Tunneling 2. Click New Application to display the properties page for a new dynamic application. 3. Scroll down to the Identification section. 4. Enter the following information:! The Application Name to display on the Manage Applications page.! The Description to display on the Manage Applications page.! The Portal Link Text to display in the user portal. 5. Scroll down to the Application Location & Argument Configuration section and enter the information needed to launch the application on the client system. Several options are available for specifying the required information. Data entry fields for each option appear only when the option is enabled.! You must specify the name of a file to launch the application.! If the executable file is located in a directory contained in the PATH variable on the client machine, you can enter the name of the command file alone in the Path text box. For example, outlook.exe.! You can also enter a fully qualified path to the file. For example, C:\Program Files\Microsoft Office\OFFICE11\outlook.exe.! You can enter the file name in the Path text box and use the Folder option to specify the file location. Nokia Secure Access System v3.3 New Features Guide 25

26 1 New Features for Nokia Secure Access System v3.3! You can click the Registry radio button and specify a registry key that is either sufficient to launch the application or to use in conjunction with a folder specification.! If the information specified in the File section is not sufficient alone to launch the application, check the Folder checkbox and use this section to indicate the location of the file specified in the File section.! Click Path to specify the location of the command by typing the fully qualified path to the folder containing the command.! Click CSIDL to select a Windows CSIDL that indicates the location of the command from the dropdown list. CSIDL values provide a system-independent way to identify special Windows folders.! Click Registry to specify a Windows registry entry that indicates the location of the file. The information specified in the File section is appended to the information in the Folder section to create the full location of the command on the client.! If the specified command requires additional command line arguments to successfully execute on the client system, click the arguments checkbox and enter the necessary arguments in the text box. The information specified in the Arguments section is appended to the information in the Folder and File sections to create the command passed to the client. 6. If different command definitions are needed on different client machines, click Add Additional Locations and specify another possible location for the command, as described in step In the Logging section, you can optionally enable logging for this application. Note Debug logging generates a large volume of log data and can adversely affect gateway performance. Nokia recommends that you only enable this feature when you are troubleshooting specific problems. If you have not already done so, configure the dynamic application settings that apply to all dynamically tunneled applications. 26 Nokia Secure Access System v3.3 New Features Guide

27 Secure Connector Improvements To configure dynamic application settings 1. From the Resources menu choose Application. 2. Click the Settings tab to display the Application Settings page. 3. In the Domains field, enter a comma separated list of the host names you want resolved by DNS servers on the protected network. Generally, this will include any internal domains that cannot be resolved by public DNS servers. Enter an asterisk (*) or leave blank to resolve all hostnames through the DNS servers on the protected network. You can also use the asterisk wild card to specify domains. For example, *.mycompany.com or mycompany.*.com. 4. In the subnets field, enter a comma separated list of the subnets for which you want to tunnel traffic back to the internal network through the gateway. Specify the subnets with CIDR subnet/masklength notation. For example, /24. Generally, you include all internal networks. Enter an asterisk (*) or leave blank to tunnel all traffic through the gateway. 5. Scroll to the bottom of the page and click Save Settings. Secure Connector Improvements Nokia Secure Access System v3.3 provides several new Secure Connect features including new clients for Linux and Macintosh users. Both the Linux and Macintosh clients run as command line utilities on their respective client platforms. This section describes these new features, and includes:! Secure Connector Installer for All Platforms! Secure Connector for Linux! Secure Connector for Macintosh! Next Hop Routing Support for Secure Connector Nokia Secure Access System v3.3 New Features Guide 27

28 1 New Features for Nokia Secure Access System v3.3 Secure Connector Installer for All Platforms Nokia Secure Access System v3.3 provides an updated Secure Connector installer that allows users to choose which Secure Connector client (Windows, Linux, or Macintosh) they want to download to their system. This features allows Linux and Macintosh users to download the Secure Connector installer for their platforms the same way Windows users do. All three installer packages are stored in the gateway in the same directory: /opt/nsas-<version>/apache/storage/vpn You can limit the installers available for download through the Secure Connector installer resource by renaming or removing one or more of the installer packages. You can control access to the installer resource itself through standard access control methods. For information on controlling access to the Secure Connector installer resource, see the Nokia Secure Access System Configuration Guide. To install Nokia Secure Connector 1. Sign in to the Nokia Secure Access System portal. 2. Click the Web tab to display Web resources. Note The Web tab is the default location for the installer. The installer may appear on a different tab in customized portals. 3. Click the Secure Connector Installer Download link to display the Secure Connector download page. 4. Choose the target platform (Windows, Linux, or Macintosh) from the drop-down list. 5. Click Download to initiate the installer download. 6. Use the dialog box that pops up to indicate where you want to save the installer file. After the download completes, see the instructions for the version of Secure Connector you are using for installation instructions. 28 Nokia Secure Access System v3.3 New Features Guide

29 Secure Connector Improvements Secure Connector for Linux This section describes Secure Connector for Linux, and includes:! Installing Secure Connector for Linux! Running Secure Connector for Linux! Displaying Command Line Options! Uninstalling Secure Connector for Linux! Notes Installing Secure Connector for Linux Note You need root access to install Secure Connector for Linux. Use either the su or sudo command to become root user. Note In the installation instructions, an asterisk (*) is a placeholder for the version number of the tar.gz file you download. To install Secure Connector for Linux 1. Download the Secure Connector for Linux client from the portal. For details, see To install Nokia Secure Connector on page Change directories to a temporary location like /tmp and use the following command to unpack the tar.gz file: tar xvfz NokiaSecureConnector_3_3_0*tar.gz 3. Run the following installation script:./nokiasecureconnector_3_3_0*/secure-connector-linux-installer 4. The License Agreement appears. The installer asks: Do you agree to the above license terms? [yes or no] 5. Select yes. The following message and question appear: Installing secure-connector command-line application...done. Loading kernel module...done. By default, Secure Connector must run as the 'root' user. Do you wish to enable non-root users to run Secure Connector? Nokia Secure Access System v3.3 New Features Guide 29

30 1 New Features for Nokia Secure Access System v3.3 This will run the command: chmod 4755 /usr/local/nokia/secureconnector/sbin/secure-connector [yes or no] Secure Connector requires root privileges during the installation to open the /dev/tun0 device. Root privileges are also needed at run time to modify the /etc/resolv.conf file and to manipulate the routing table.! If you choose yes, the chmod command enables Secure Connector to run with root privileges even when started by a non-root user.! If you choose no, only users with root privileges will be able to use Secure Connector. 6. Select yes or no. If you select yes, the following message appears: Secure-connector can now be run by non-root users. Installation Complete. To run Secure Connector: /usr/local/nokia/secureconnector/sbin/secure-connector Run Secure Connector with no options to display the help screen. The installation is now complete and you can use Secure Connector to connect to the Nokia Secure Access System gateway. Running Secure Connector for Linux To run Secure Connector for Linux 1. Open a terminal window and run the following command: /usr/local/nokia/secureconnector/sbin/secure-connector -host <gateway FQDN or IP address> Note The -host argument is required. The connection is initiated. 2. Enter the username and password. You are authenticated. The following message appears: CONNECTED <ip address of SC Client> <gateway IP address> <netmask> Press <return> to shutdown For example: CONNECTED Press <return> to shutdown When the client connects, your resolv.conf file is modified to match the Secure Connector DNS settings from the gateway. 30 Nokia Secure Access System v3.3 New Features Guide

31 Secure Connector Improvements Your routing table is also modified. If split tunneling is configured, specific network routes are configured for their next hop to be the tun device. If you do not have split tunneling configured, your default route is set to the tun device. Note The client must be up and running for traffic to pass through Secure Connector. 3. In the terminal window, press Return once to exit the client. When the client exits, it removes any changes made to the resolv.conf file and the routing table. Note Secure Connector requires the tun kernel module to be loaded. The installer does this, but it is not persistent through reboot. To ensure that the tun kernel module is loaded, become root and run the following command: /sbin/modprobe tun Displaying Command Line Options For a list of optional command line arguments, run the Secure Connector command without any arguments: /usr/local/nokia/secureconnector/sbin/secure-connector Uninstalling Secure Connector for Linux To uninstall Secure Connector for Linux, become root and run the following command: rm -rf /usr/local/nokia/secureconnector/sbin/secure-connector Notes! When using Redhat Enterprise Linux, you need to add the package kernel-unsupported- <kernel version>.rpm files to enable tun device support. Do this before attempting to use Secure Connector.! The following settings on the Secure Connector page of the Nokia Secure Access System administrator user interface apply only to the Windows client:! Client Firewall! Portal Page Display! Encrypted File Store! Proxy Autoconf Nokia Secure Access System v3.3 New Features Guide 31

32 1 New Features for Nokia Secure Access System v3.3! Homepage URL! Desktop Color! WINS These settings have no effect on the Linux client.! The Error Messages tab is not used by the Linux client.! End-Point-Security Scanning rules are not supported in this release.! Secure Connector for Linux may modify /etc/resolv.conf. If the product terminates unexpectedly, the changes may not be undone. You can restore the resolv.conf file manually by editing it as follows: a. Remove ; [ moss] from the start of any lines. b. Delete all other lines where [moss] appears. Secure Connector for Macintosh This section describes the Secure Connector for Macintosh, and includes:! Installing Secure Connector for Macintosh! Running Secure Connector for Macintosh! Displaying Command-Line Options! Uninstalling Secure Connector for Macintosh! Notes Installing Secure Connector for Macintosh Note You need administrator privileges to install Secure Connector for Macintosh. If you are not logged in as an administrator, a dialog box prompts you to enter the name and password of a user with administrator privileges. To install Secure Connector for Macintosh 1. Download the Secure Connector for Macintosh client from the portal. For details, see To install Nokia Secure Connector on page Double-click the downloaded kit to decompress it and create the NokiaSecureConnector.mpkg installation application. 3. Double-click NokiaSecureConnector.mpkg to run the installer. 4. Follow the directions in the installer program to complete the installation. 32 Nokia Secure Access System v3.3 New Features Guide

33 Secure Connector Improvements Running Secure Connector for Macintosh After installation, any user can run the Secure Connector application which is in the Applications Folder. To connect through Secure Connector for Macintosh 1. In the applications folder, click SecureConnector. 2. Click the Settings button. 3. On the Account tab, enter your Username and Password. 4. On the Gateway tab, select the gateway FQDN or IP address from the Host dropdown list and specify the port (443 by default) to use. Nokia Secure Access System v3.3 New Features Guide 33

34 1 New Features for Nokia Secure Access System v Click Sign On to establish a connection with the gateway. Displaying Command-Line Options A command line client is also available. To connect through the command line 1. Run the following command /usr/local/nokia/bin/secure-connector -host <FQDN or IP of gateway> To see a list of command-line options, run the following command without any arguments: /usr/nokia/bin/secure-connector The following output appears: Usage: secure-connector <options> Mandatory parameters: -host <IP address> The IP address of the NSAS gateway Optional parameters: -port <port> The SSL port of the Nokia Secure Access System gateway (default: 443) -user <username> The username to log in as -pass <password> The password to log in with (REQUIRED with -user) -dev <device> The tunnel device to use (e.g. tun0) -addroute <address> Add a host route to IP <address> -noroutes Do not configure routes specified by the gateway -nodns Do not modify DNS settings -nohostroute Do not add a 'safety' host route to the Nokia Secure Access System gateway -noifconfig Do not configure any network settings at all -notimeout Do not set the inactivity timer -version Print the version information and exit 34 Nokia Secure Access System v3.3 New Features Guide

35 Secure Connector Improvements Uninstalling Secure Connector for Macintosh To uninstall Secure Connector for Macintosh! Open a terminal window and run the following command: /Applications/SecureConnector.app/Contents/Resources/uninstall Notes! You cannot add manual routes from the GUI. Making changes on the Routing page of Secure Connector Settings is not currently supported. (PR 51576)! Manually configuring a DNS server in the GUI does not work. Making changes on the DNS page of Secure Connector Settings is not currently supported. (PR 51637)! The following settings on the Secure Connector page of the Nokia Secure Access System admin UI apply only to Windows clients:! Client Firewall! Portal Page Display! Encrypted File Store! Proxy Autoconf! Homepage URL! Desktop Color! WINS These settings have no effect on the Macintosh client.! The Error Messages tab is not used by the Macintosh client.! End-Point-Security scanning rules are not supported in this release. Next Hop Routing Support for Secure Connector Nokia Secure Access System v3.3 provides a new configuration setting for Secure Connector that allows an administrator to specify the route for Secure Connector traffic from the gateway to protected networks. This setting can be used on gateways with multiple interfaces to force Secure Connector traffic to a firewall or a router with different routing policies. For example, this might be used if clients send all packets (including those bound for the Internet) through the tunnel. Nokia Secure Access System v3.3 New Features Guide 35

36 1 New Features for Nokia Secure Access System v3.3 To set the next hop route for Secure Connector 1. From the Nokia Secure Access System configuration menu, choose Global Properties > Secure Connector to display the Secure Connector Configuration page. 2. Scroll down to the Interface and IP Subnet Settings section. 3. Enter the IP address of the next hop router in the space provided. This must be an address on the same subnet as the back end interface. 4. Scroll to the bottom of the page and click Save Settings. New Secure Connector Scan Template for Trend Micro Antivirus Nokia Secure Access System v3.3 provides a new Secure Connector Scan client check template for Trend Micro v5.x antivirus software. This new templates allows administrators to check for active Trend Micro PC-cillan v5.5 antivirus solutions without creating a custom template. For more information about how to use a Secure Connector Scan standard template, see Using Standard Templates on page 75. Login Form Prefill Nokia Secure Access System v3.3 provides a new login form prefill feature to store information from HTML login forms for gateway users. Most browsers support form prefill by caching information on the local machine, but this feature is not useful for mobile users on borrowed machines who do not want to leave login information on borrowed machines. Nokia Secure Access System form prefill solves this problem by storing login form data on the gateway and filling out the forms as they pass through. This way users regain the convenience of login form prefill for pages served through Nokia Secure Access System without the risk of leaving sensitive information on borrowed equipment. Note This features provides form prefill for login forms only. The more general form prefill and form autocomplete technologies supported by some browsers and Web-based applications are not currently supported by Nokia Secure Access System. Users and groups using login form prefill must have the persistent credentials enabled. 36 Nokia Secure Access System v3.3 New Features Guide

37 Login Form Prefill When form prefill is enabled, Nokia Secure Access System inspects all forms served to users to detect login forms.! If a login form has no stored data, the login values entered by the user are stored and the next time they connect the login form is prefilled with their login information.! If a user enters different login information than that supplied by prefill the new information replaces the old information stored for the form.! If pass-through credentials are enabled for a resource and no login information is stored for the form, the default pass-through credentials are prefilled on the form. If the user supplies different credentials, those will be used to prefill the form next time.! Stored login information is erased along with other user-specific information when a user selects the Clear Persistent Values option on their portal preferences page. Note This feature resolves issues using the Citrix single sign-on feature that users experienced in previous releases of Nokia Secure Access System, but this functionality is not limited to Citrix users. The new login form prefill feature works for most HTML login forms. To enable signon form prefill 1. Make sure the persistent credentials are enabled for the users and groups using login form prefill at User Configuration > User Groups > Manage User Groups > groupname > Session. 2. From the Nokia Secure Access System configuration menu, choose Global Properties > Access Control. 3. Click the Settings tab to open the Configure Access Control page. 4. Scroll down to the HTML Form Prefill section. 5. Check Enable Form Prefill. 6. Check the boxes for the form prefill options you want to enable.! Allow Form Prefill to Use Pass-through Credentials for Configured Resources Use this option to prefill login forms with the user s pass-through credentials if there is no value stored for a form for a resource with pass-through credentials enabled. Nokia Secure Access System v3.3 New Features Guide 37

38 1 New Features for Nokia Secure Access System v3.3! Ignore Autocomplete=Off Flags on Backend Web Site Use this option to prefill login forms even if autocomplete is disabled in the form received by the gateway from the backend server.! Replace Form Contents Even if the Backend Web Server Has Inserted Values Use this option to prefill forms with the values stored on the gateway even if other values have been supplied by the backend server. 7. Scroll to the bottom of the page and click Save Settings. 38 Nokia Secure Access System v3.3 New Features Guide

39 2 New Features for Nokia Secure Access System v3.2 This chapter describes the operating system requirements and new features available with the Nokia Secure Access System v3.2 release. The new features are:! Authentication Method Validation! Hostname Hiding! Active Session Termination! Report Generation! End-User Portal Enhancements! High Availability Improvements! Client Integrity Scan Improvements! Secure Connector Improvements! End-Point Security Scanning Supported Operating Systems Nokia Secure Access System supports Nokia IPSO v3.7 FCSx and later. If you are running an earlier version of the Nokia IPSO operating system, upgrade it before you install Nokia Secure Access System. For information about how to upgrade the operating system, see the release notes for the version of Nokia IPSO to which you are upgrading. The following client operating systems are supported for Nokia Secure Access System v3.2:! Windows 98! Windows ME! Windows NT 4.0! Windows 2000 with SP 4! Windows XP SP1 with Hot fix, Windows XP SP2 and Hot fix! Windows Server 2000! Windows Server 2003! Linux RedHat 9.x, RedHat Enterprise Linux Nokia Secure Access System v3.3 New Features Guide 39

40 2 New Features for Nokia Secure Access System v3.2 Note All Nokia 50s, 60s, 100s and 500s gateways are factory-installed with the correct version of the operating system to successfully run Nokia Secure Access System v3.2 and v3.1. Authentication Method Validation In previous versions of Nokia Secure Access System, the only way to test a newly configured authentication method was to attempt to log in to the gateway using the new authentication method. Nokia Secure Access System v3.2 provides a test button for each authentication method to make testing new authentication methods easier and quicker. To test an authentication method 1. From the Nokia Secure Access System configuration menu, choose User Configuration > Authentication to open the Manage Authentication Methods page. 2. Select the name of the authentication method you want to test. The Properties for Authentication Method: methodname page opens. 3. Scroll to the bottom of the page and click the Test button to initiate the test. The Authentication Method Testing page opens. 40 Nokia Secure Access System v3.3 New Features Guide

41 Hostname Hiding 4. Enter the user name and password of the user you want to test, then click Continue. The test results are shown on the Test Authentication Method page.! Log Message contains the full text of the log message generated by the request.! Status shows the test result.! Import Variable shows any user variables retrieved by the test.! Import Group shows any group information retrieved by the test.! Close Window click to close the test window.! View Debug Messages click to display any debug messages generated by the test. Hostname Hiding In previous versions of Nokia Secure Access System the names of internal hosts were shown in plain text in the URLs visible to end users when accessing Web resources. Nokia Secure Access System v3.2 allows you to obscure internal host names used in browser URLs to prevent this information from being viewed by onlookers in public places. You can obscure host names in all URLs displayed to end users or just the host names in particular resources. To hide internal host names in all Web resource URLs 1. From the Nokia Secure Access System configuration menu, choose Global Properties > Access Control. 2. Click on the Settings tab to open the Configure Access Control page. Nokia Secure Access System v3.3 New Features Guide 41

42 2 New Features for Nokia Secure Access System v Scroll down until the Hostname Hiding on Client Browser checkbox is visible. 4. Check the box. 5. Scroll to the bottom of the page and click Save Settings. To hide the internal host name for a specific Web resource 1. From the Nokia Secure Access System configuration menu, choose Resources > Web to open the Manage Web Resources page. 2. Click the name of the Web resource you want to modify to open the properties page for that resource. 3. Scroll down until the Hide Hostname on Client Browser checkbox is visible. 4. Check the box. 5. Scroll to the bottom of the page and click Save Settings. 42 Nokia Secure Access System v3.3 New Features Guide

43 Active Session Termination Active Session Termination Nokia Secure Access System v3.2 allows you to view a list of the currently active sessions and provides an option to disconnect any Web, port-forwarding, or Secure Connector session in realtime. To disconnect an active session 1. From the Nokia Secure Access System configuration menu, choose General > Monitor to open the Active Sessions page. The list shows all active portal, Secure Connector, and port-forwarding sessions. Note The list does not automatically refresh. To update the list, click the refresh button on your browser or the Monitor link on the menu bar. 2. Scroll down the list to display the session you are looking for, or use the Show Only Users Matching text box to filter the list. You can enter a complete user name, a single letter, or a partial name with an asterisk (*) for wildcard matches. 3. Click Disconnect. Report Generation The new report generation feature of Nokia Secure Access System v3.2 provides the ability to view a detailed snapshot of gateway usage. You can configure these reports to span a period of up to seven days or any span of hours per day. You can view report results in HTML or graphical format. You can also export the data to an Excel spreadsheet. The types of reports that you can generate are:! All user logins or logins for a specific user group! Authentication method usage! Connectivity type usage! Resource type usage Nokia Secure Access System v3.3 New Features Guide 43

44 2 New Features for Nokia Secure Access System v3.2 To generate a usage report 1. Choose General > Logging. 2. Click the View Reports tab to open the Summary Reports page. 3. Scroll down to the Select Report Type section and specify the type of report you want to generate. 4. Scroll down to the Select Time section and specify the period of time captured in the report. You can specify a range of hours for the current day or a range of hour for any combination of the past 7 days. 5. Scroll down to the Select Report Format section and specify how to present the report. You can specify HTML Table, Graph or Download as Excel File. 6. Scroll to the bottom of the page and click View Report. The report is generated and displays in the format that you selected. Note If you are exporting the report to an Excel spreadsheet, follow the prompts to download the file to the desired location on your system. 44 Nokia Secure Access System v3.3 New Features Guide

45 End-User Portal Enhancements End-User Portal Enhancements Nokia Secure Access System v3.2 enhances the appearance and organization of the end-user portal and provides increased flexibility for customizing the appearance of the end-user portal. This section describes these new features including:! End-User Portal Changes! Customizing the End-User Portal End-User Portal Changes The end-user portal has been updated and reorganized into four tabs: Home, Web, File, and Applications. The Home tab is active when a user signs on. Users can configure their end-user portal to provide active links to commonly used resources, called bookmarks or favorites. These configurations include:! Adding bookmarks! Editing bookmarks! Hiding bookmarks! Deleting bookmarks For details about the user options available on the end-user portal, see the Nokia Secure Access System User Guide v3.2. Nokia Secure Access System v3.3 New Features Guide 45

46 2 New Features for Nokia Secure Access System v3.2 Customizing the End-User Portal Nokia Secure Access System v3.2 provides new tools to customize the appearance of the enduser portal. This section describes:! Managing End-User Portal Elements! Customizing the Sign-on Page! Customizing End-User Portal Pages Managing End-User Portal Elements Use the Manage Images page to review the images available for end-user portal customization and to add, modify, or delete custom images. Note You cannot remove or modify the default images displayed on the Manage Images page. You can, however, remove these images from the sign-on page and end-user portal pages that end users see. 46 Nokia Secure Access System v3.3 New Features Guide

47 End-User Portal Enhancements To add a custom image 1. From the Nokia Secure Access System configuration menu, choose Appearance > Manage Elements to open the Manage Images page. 2. Scroll down to the Upload a New Image section. 3. Click the Browse button, navigate to the image you want to upload, and select it. 4. Enter an Image Description. 5. Click Save Settings. To delete a custom image 1. From the Nokia Secure Access System configuration menu, choose Appearance > Manage Elements to open the Manage Images page. 2. Scroll down to the custom image you want to remove. 3. Check the delete box next to the item you want to remove. 4. Scroll to the bottom of the page and click Save Settings. Nokia Secure Access System v3.3 New Features Guide 47

48 2 New Features for Nokia Secure Access System v3.2 To replace a custom image 1. From the Nokia Secure Access System configuration menu, choose Appearance > Manage Elements to open the Manage Images page. 2. Scroll down to the custom image you want to replace. 3. Click Replace to open the Replace Image page. 4. Click the Browse button, navigate to the image you want to upload to replace the current image, and select it. 5. Enter an Image Description. 48 Nokia Secure Access System v3.3 New Features Guide

49 End-User Portal Enhancements 6. Click Replace Image. Customizing the Sign-on Page Nokia Secure Access System v3.2 provides an option to customize the sign-on page that users see when they login to the end-user portal. You can:! Change the image displayed on the sign-on page.! Change the messages displayed to users during the sign-on process.! Change the general page settings.! Change the sign-on page colors. The default sign-on page displays the Nokia logo and colors. To change the sign-on page image 1. From the Nokia Secure Access System configuration menu, choose Appearance > Sign-on to open the Sign-on Page Appearance page. 2. Scroll down to the Configure Images section. 3. Select the image you want displayed on the sign-on page from the drop-down list. For information on adding an image to the drop-down list, see Managing End-User Portal Elements on page Scroll to the bottom of the page and click Save Settings. Nokia Secure Access System v3.3 New Features Guide 49

50 2 New Features for Nokia Secure Access System v3.2 To change the user sign-on messages 1. From the Nokia Secure Access System configuration menu, choose Appearance > Sign-on to open the Sign-on Page Appearance page. 2. Scroll down to the Messages section. 3. In the spaces provided, type the welcome message you want to display on the sign-on page and error messages for unsuccessful password and certificate authentication attempts. 4. Click Save Settings. To change the general sign-on page properties 1. From the Nokia Secure Access System configuration menu, choose Appearance > Sign-on to open the Sign-on Page Appearance page. 2. Scroll down to the General Page Settings section. 3. To remove the Nokia copyright notice, uncheck the Show Copyright Nokia Notice On Sign On/Off Pages checkbox. 4. To replace the Nokia Secure Access System product name in the sign-on page banner, check the Replace Phrase Nokia Secure Access System with checkbox, and enter the text you want to appear in its place. 5. Scroll to the bottom of the page and click Save Settings. To change the sign-on page color scheme 1. From the Nokia Secure Access System configuration menu, choose Appearance > Sign-on to open the Sign-on Page Appearance page. 2. Click the Colors tab. 50 Nokia Secure Access System v3.3 New Features Guide

51 End-User Portal Enhancements 3. Scroll down to the Color Themes section. 4. Select a color theme from the drop-down list and click Populate Form. 5. Scroll to the bottom of the page and click Save Settings. To customize sign-on page colors 1. From the Nokia Secure Access System configuration menu, choose Appearance > Sign-on to open the Sign-on Page Appearance page. 2. Click the Colors tab. 3. In the Title and Banner Area section choose the colors for the sign-on page title. 4. Select one of the following options.! Click the Safe link to choose a Web safe color! Click the X11 link to choose a color from the X Windows X11 color set! Enter a hexadecimal color value or type a color name in the text box. 5. In the Center Box section, choose the colors for the other elements of the sign-on page. 6. Choose one of the following options.! Click the Safe link to choose a Web safe color! Click the X11 link to choose a color from the X Windows X11 color set! Enter a hexadecimal color value or type a color name in the text box. 7. Scroll to the bottom of the page and click Save Settings. Nokia Secure Access System v3.3 New Features Guide 51

52 2 New Features for Nokia Secure Access System v3.2 Customizing End-User Portal Pages Nokia Secure Access System v3.2 provides an option to customize the end-user portal pages that are displayed to users after login. You can customize end-user portal pages in any or all of the following ways:! Change the images displayed at the top and bottom of the end-user portal.! Change the banner message and access error message.! Change the general page settings.! Change the default channel and filter names.! Change the name, layout, and content of the tabs displayed to users.! Change the end-user portal colors To customize end-user portal images 1. From the Nokia Secure Access System configuration menu, choose Appearance > Portal to open the User Portal Appearance page. 2. Scroll down to the Configure Images section 3. Select the image you want to display in the top right corner of the end-user portal from the Banner Image drop-down list. For information on adding an image to the drop-down list, see Managing End-User Portal Elements on page Select the image you want to display in the bottom right corner of the end-user portal from the Footer Image drop-down list. For information on adding an image to the drop-down list, see Managing End-User Portal Elements on page Scroll to the bottom of the page and click Save Settings. 52 Nokia Secure Access System v3.3 New Features Guide

53 End-User Portal Enhancements To change the end-user portal messages 1. From the Nokia Secure Access System configuration menu, choose Appearance > Portal to open the User Portal Appearance page. 2. Scroll down to the Messages section. 3. In the spaces provided, type any message you want to appear in the end-user portal banner and the message to display when the user is denied access to a resource. 4. Scroll to the bottom of the page and click Save Settings. To change the general page settings 1. From the Nokia Secure Access System configuration menu, choose Appearance > Portal to open the User Portal Appearance page. 2. Scroll down to the General Page Settings section. 3. Click the appropriate checkbox to enable or disable the general settings. You can:! Enable or disable large icons for Web, File, and Applications channels.! Display or hide the Nokia copyright notice. 4. Scroll to the bottom of the page and click Save Settings. Nokia Secure Access System v3.3 New Features Guide 53

54 2 New Features for Nokia Secure Access System v3.2 To change the default names of channels or filters 1. From the Nokia Secure Access System configuration menu, choose Appearance > Portal. 2. Click the channels tab to open the Customize Channels for the User Portal page. 3. For each channel or filter name you want to change, click the checkbox next to the default name and enter the new name in the corresponding text box. 4. Scroll to the bottom of the page and click Save Settings. To hide a tab 1. From the Nokia Secure Access System configuration menu, choose Appearance > Portal. 2. Click the Tabs tab open the Customize Tabs on the User Portal page. 54 Nokia Secure Access System v3.3 New Features Guide

55 End-User Portal Enhancements 3. Scroll down to the configuration section for the tab you want to remove. 4. Uncheck the Show This Tab on the Portal checkbox. 5. Scroll to the bottom of the page and click Save Settings. Note You cannot remove the Home tab from the end-user portal. You can, however, change the name and layout of the Home tab. To change the default name of an end-user portal tab 1. From the Nokia Secure Access System configuration menu, choose Appearance > Portal. 2. Click the Tabs tab to open the Customize Tabs on the User Portal page. 3. Scroll down to the configuration section for the tab you want to rename. 4. Check the Override the Name of This Tab checkbox and type the new name for the tab in the text box. 5. Scroll to the bottom of the page and click Save Settings. Nokia Secure Access System v3.3 New Features Guide 55

56 2 New Features for Nokia Secure Access System v3.2 To change the layout of a tab 1. From the Nokia Secure Access System configuration menu, choose Appearance > Portal. 2. Click the Tabs tab to open the Customize Tabs on the User Portal page. 3. Scroll down to the configuration section for the tab you want to customize. 4. Select the number of channels you want to display on the page from the Layout For This Tab drop-down list. 5. Scroll to the bottom of the page and click Save Settings to enable the new channel layout. 6. Return to the configuration section for the tab you want to customize. 7. For each channel, select the item to display from the drop-down list on the left and the filter to use from the drop-down list on the right.! --- (the default) displays the filter picker with All selected.! All lists all the resources of the specified type available to the user.! Mine shows only the resources of the specified type defined by the user.! Company shows only the resources for the specified type defined by the administrator. 8. When you have configured all the channels, scroll to the bottom of the page and click Save Settings. 56 Nokia Secure Access System v3.3 New Features Guide

57 End-User Portal Enhancements To change the end-user portal color scheme 1. From the Nokia Secure Access System configuration menu, choose Appearance > Portal. 2. Click the Colors tab to open the Customize Colors for the User Portal page 3. Scroll down to the Color Themes section. 4. Select a color theme from the drop-down list and click Populate Form. 5. Scroll to the bottom of the page and click Save Settings. To customize end-user portal colors 1. From the Nokia Secure Access System configuration menu, choose Appearance > Portal to open the Sign-on Page Appearance page. 2. Click the Colors tab to open the Customize Colors for the User Portal page 3. Scroll through the page and customize the colors for the various objects. Nokia Secure Access System v3.3 New Features Guide 57

58 2 New Features for Nokia Secure Access System v Choose one of the following options.! Click the Safe link to choose a Web safe color! Click the X11 link to choose a color from the X Windows X11 color set! Enter a hexadecimal color value or type a color name in the text box. 5. When you have finished picking colors, scroll to the bottom of the page and click Save Settings. 58 Nokia Secure Access System v3.3 New Features Guide

59 High Availability Improvements High Availability Improvements Previous versions of Nokia Secure Access System offered a variety of techniques to support the high availability network requirements of different enterprises. Nokia Secure Access System v3.2 further enhances this support with the addition of these new features:! Certificate Sharing! Session state sharing! Internal load balancing! Support for Round Robin DNS load distribution All these features work with the Nokia Secure Access System configuration sharing feature. For detailed information on configuration sharing, see the Nokia Secure Access System Technology Overview and the Nokia Secure Access System Configuration Guide. The Nokia IPSO VRRP feature can also be used in Nokia Secure Access System high availability and load sharing configurations. For detailed information about Nokia IPSO VRRP, see the Nokia Network Voyager Reference Guide. This section describes how to use the new high availability features including:! Using Nokia IPSO VRRP with Nokia Secure Access System! Enabling Certificate Sharing! Configuring Session State Sharing! Configuring the VRRP to FQDN and Certificate Table! Configuring Internal Load Balancing! Configuring DNS Round Robin Load Distribution Using Nokia IPSO VRRP with Nokia Secure Access System Nokia IPSO VRRP can be used in a variety of Nokia Secure Access System high availability and load balancing configurations. This section outlines the most common configurations. For detailed information about Nokia IPSO VRRP, see the Nokia Network Voyager Reference Guide.! VRRP legacy high availability This configuration, supported by previous version of Nokia Secure Access System, allows a gateway to assume responsibility for traffic destined to an IP address on a failed gateway. When the gateway fails, however, all session state information is lost and the user must re authenticate on the gateway that assumes responsibility for the traffic. All nodes in this configuration have the same VRRP priority and priority delta.! VRRP with state sharing When VRRP is used in conjunction with the new state sharing feature, it shares the end-user portal session information with other gateways. Should a gateway fail, a session is handed to another gateway without the current session failing. Therefore, there is no need for the current user to log in again. Nokia Secure Access System v3.3 New Features Guide 59

60 2 New Features for Nokia Secure Access System v3.2! VRRP with load balancing When VRRP to FQDN and Certificate Table is used with the load balancing option, the table is used to build the load balancing node list. This table is not required for load balancing to work. If it is not configured, then load balancing will use the Config Sharing group list to build the load balancing node list. Note VRRP with load balancing only works with VRRP managed circuit, and not with VRRPv2.! VRRP with state sharing and load balancing VRRP can be used in with both state sharing and load balancing at the same time. This configuration both balances new sessions among VRRP IP addresses during normal operations and provides session failover in the event of a system failure. In these configurations, a VRRP ID and VRRP IP address are assigned to each node in the group and each node is the master for a specific VRRP ID and VRRP IP address. For example, in a three node group you have 3 VRRP IDs and 3 VRRP IP addresses. Priorities for each node in the group are different. The priority deltas are the same, but must be large enough to change the priority of the primary node to less than the priority of the lowest node in the event of a failure. Table 2 shows an example VRRP configuration for state sharing and load balancing. Table 2 Example VRRP Configuration for State Sharing and Load Balancing VRRP ID Node Priority Priority Delta 5 Node Node Node Node Node Node Node Node Node Nokia Secure Access System v3.3 New Features Guide

61 High Availability Improvements Note Nokia Secure Access System reads VRRP priority settings at startup. If you change the VRRP priorities in Nokia Network Voyager, you must restart Nokia Secure Access System for the changes to become active in the gateway. Note You may need to enable the VRRP listening interfaces in the global Network tab if you create the IPSO VRRP configuration after Nokia Secure Access System is installed. Since sessions are balanced among VRRP IP addresses in this configuration, you also need a FQDN DNS entry that end user use to access the gateway for each VRRP IP address. In addition you need a certificate linked to each VRRP IP address and FQDN to prevent certificate errors when user sessions are moved from one gateway to another. Enabling Certificate Sharing Certificate sharing adds the local server certificates to the list of information shared among the nodes in a configuration sharing group. This permits users whose session is moved to another node because of a system failover or load balancing to continue working without seeing certificate warnings. To enable certificate sharing 1. Create or join a configuration sharing group. For detailed instructions, see the Nokia Secure Access System Configuration Guide. 2. From the Nokia Secure Access System configuration menu of the master node, choose General > Config Sharing to display the Overview page. 3. Scroll down to the Sharing Options section. 4. Check the Share Server Certificate Information Between Gateways box. 5. Scroll to the bottom of the page and click Save Settings. Configuring Session State Sharing When a user logs on to a Nokia Secure Access System gateway, a large amount of information about the user and their current connections is cached in memory. This information makes up the user's state and is associated with a user session ID. Nokia Secure Access System v3.3 New Features Guide 61

62 2 New Features for Nokia Secure Access System v3.2 When state sharing is enabled, each gateway in the state sharing group is associated with a buddy gateway on start up. Each of the gateways in the buddy pair maintains a copy of all the current user session state information of its buddy. If one of the gateways fails, the session ID in incoming requests is used to retrieve session information for the users of the failed system. This allows users to continue working without interruption. Note Secure Connector and port-forwarding sessions establish persistent connections to the gateway on which they were created. There is no state sharing for these connections. In load balancing configurations, these connections remain on the gateway on which they were created even if other parts of the user session are moved to another gateway. In high availability failovers, Secure Connector and port forwarding state information is lost and the user must restart those resources. In Nokia Secure Access System v3.2, the configuration sharing Overview page has been modified to show additional information about state sharing. In the first table:! IP Port has been defined to show the port number used by the configuration sharing group.! The Label of This Node column has been renamed FQDN of This Node to indicate that a fully qualified domain name is required for the new features. IP addresses are still supported for legacy configurations. In the second table:! The Node Label column has been renamed Node FQDN to indicate a fully qualified domain name is required for the new features.! A State Group column has been added to show to the name of the state group. Note Secure Connector per user IP address assignments are not supported in session state sharing or load balancing configurations. 62 Nokia Secure Access System v3.3 New Features Guide

63 High Availability Improvements To enable state sharing 1. Define the configuration sharing group to use for state sharing. For detailed instructions, see the Nokia Secure Access System Configuration Guide. When creating your configuration sharing group, you must use a fully qualified domain names for the nodes. Do not use IP addresses. 2. If you are sharing state across a VRRP group, configure the VRRP to FQDN and Certificate Table. For detailed instructions, see To configure the VRRP to FQDN and Certificate Table on page From the Nokia Secure Access System configuration menu, choose General > Config Sharing. 4. Click the Load Balancing tab to open the Manage Load Balancing page. 5. Scroll down the page to the State Sharing section. 6. Check the Share User State Between Nodes in the Group check box. 7. Scroll to the bottom of the page and click Save Settings. Configuring the VRRP to FQDN and Certificate Table Use the VRRP to FQDN and Certificate Table with internal load balancing and state sharing configurations when VRRP is active. This table associates the VRRP FQDN that end users specify to access the gateway to the VRRP IP address and the certificate associated with the address. The table also maps the VRRP information to the gateway FQDN. The mapping of certificates to VRRP addresses is used during fail overs to seamlessly move the session to another node without causing certificate warnings for the end user. The mapping of the VRRP FQDN to the gateway FQDN is used during load balancing to redirect requests. To configure the VRRP to FQDN and Certificate Table 1. Determine the VRRP IP addresses and VRRP FQDNs for each node in the group. 2. Create DNS entries to associated each VRRP IP address with the corresponding FQDN. 3. Use Nokia Network Voyager to configure VRRP for each node in the group. VRRP ID, priority and delta priority, and backup IP addresses are required. For detailed instructions, see the Nokia Network Voyager Reference Guide. Nokia Secure Access System v3.3 New Features Guide 63

64 2 New Features for Nokia Secure Access System v3.2 Note To ensure that the node responsible for the address is normally the master, make sure the VRRP IP address associated with each node has the highest priority on that node. 4. Create a server certificate for each VRRP IP address. 5. Enable certificate sharing. For detailed instructions, see To enable certificate sharing on page If you are using session state sharing, enable session state sharing. For detailed instructions, see To enable state sharing on page From the Nokia Secure Access System configuration menu, choose General > Config Sharing. 8. Click the Load Balancing tab to open the Manage Load Balancing page. 9. Scroll down the page to the Use VRRP to Domain and Certificate Table section. 10. Check the Use VRRP to Domain and Certificate Table check box. 11. For each node in your group the following information is required:! Node Name This column is automatically populated with the FQDNs of all the VRRP nodes when VRRP is detected on the master node. If VRRP is not enabled, this column shows the FQDNs for all the nodes in the configuration sharing group. 64 Nokia Secure Access System v3.3 New Features Guide

65 High Availability Improvements! VRRP IP The virtual IP address (Backup Address in Nokia Network Voyager) for the VRRP ID.! VRRP FQDN The fully qualified domain name that end users use to address the gateway. The external DNS must contain an entry that associates this FQDN with the VRRP IP address.! Certificate If certificate sharing is enabled (see Enabling Certificate Sharing on page 61), this column is automatically populated with the server certificates in the configuration sharing group. Otherwise, only the local certificate is shown. Choose the certificate associated with the VRRP IP address. 12. In the VRRP Domain text box enter a domain mask to describe which fully qualified domain names will be considered to be in the group domain. For example, enter example.com if you want to include nodes in both the east.example.com and west.example.com. 13. Scroll to the bottom of the page and click Save Settings. Configuring Internal Load Balancing Use internal load balancing to balance user connections across the configuration sharing group using round robin URL redirects. For each user logon, the master node determines which gateway received the last logon request and redirects the current request to the next gateway on the load balancing list. All requests for the remainder of the user session are then directed to the specified gateway. Internal load balancing can be used with or without VRRP. For an explanation of the most common configurations, see Using Nokia IPSO VRRP with Nokia Secure Access System on page 59. To enable internal load balancing 1. Define the configuration sharing group to use for load balancing. For detailed instructions, see the Nokia Secure Access System Configuration Guide. 2. If you are load balancing across a VRRP group, configure the VRRP to FQDN and Certificate Table. For detailed instructions, see To configure the VRRP to FQDN and Certificate Table on page From the Nokia Secure Access System configuration menu, choose General > Config Sharing. 4. Click the Load Balancing tab to open the Manage Load Balancing page. Nokia Secure Access System v3.3 New Features Guide 65

66 2 New Features for Nokia Secure Access System v Scroll down the page to the Load Balancing section. 6. Check the Enable Load Balancing Between Nodes in the Group check box. 7. Scroll to the bottom of the page and click Save Settings. Configuring DNS Round Robin Load Distribution DNS round robin load distribution can balance user connections across the load balancing list by using round robin IP assignments at the DNS server. For each FQDN resolution request, the DNS server determines which IP address was returned for the last request, and then returns the IP address in the next A record for that domain name. DNS round robin load distribution must be used with VRRP since the DNS server does not know when a Nokia Secure Access System gateway is unavailable. In this configuration, you define a single VRRP FQDN and multiple VRRP IP addresses. To use round Robin DNS, you must also have state sharing configured. This is because a user may be redirected to a different IP address, depending on DNS time-outs and the frequency of queries of the DNS server by the user system. This may move the session from one node to another. With state sharing, the session will move transparently. To configure DNS round robin load balancing 1. Configure VRRP for the sharing group. For detailed instructions, see To configure the VRRP to FQDN and Certificate Table on page Add the VRRP FQDN and VRRP IP addresses to DNS server. For detailed information on configuring DNS round robin, see the documentation for your DNS server. Client Integrity Scan Improvements Nokia Secure Access System v3.2 provides a variety of templates to assist the administrator who is configuring Client Integrity Scan (CIS) rules. Client Integrity Scanning is a Java-based feature that works in conjunction with Access Control Lists (ACLs). For more information about CIS and ACLs, see the Nokia Secure Access System Configuration Guide and the Nokia Secure Access System Technology Overview. Using templates, you can create CIS rules to:! Look up single or multiple Windows registry keys using the REGISTRYKEY_CHECK template.! Check for single or multiple running processes using the PROCESS_CHECK template.! Provide an integrity check for a single, or multiple files using the FILE_CHECK template. 66 Nokia Secure Access System v3.3 New Features Guide

67 Client Integrity Scan Improvements! Locate the version of the client Windows operating system, along with any service pack details using the OS_CHECK template.! Check for specified antivirus software AV_SOFTWARE template.! Copy the managed script to an editable script Once configured, the CIS rules that you create will be saved to the configuration database. You can also choose multiple script rules for creating a new managed script. To configure a new scan script rule 1. From the Nokia Secure Access System configuration menu, choose End-Point Security > Client Integrity Scan. 2. Click the Script Rules tab to open the Script Rules page. 3. Use the drop-down list to select the template for the type of scan you want to create. The template for that Script Rule opens. Nokia Secure Access System v3.3 New Features Guide 67

68 2 New Features for Nokia Secure Access System v3.2 These steps describe how to use the process check template to create a new scan rule. Each of the templates vary, depending on the selection from the drop-down list. The following is an example of the process check template. 4. Enter a name for the new script rule. 5. Enter a brief description to easily identify the purpose of this script. 6. Using the drop-down list, select the variable to use for this scan rule. 7. Specify the type of process that you want to scan for by clicking the check box, and entering the process name. Note You can view process names from the Windows Task Manager by clicking the Processes tab. 8. Repeat for each process that you want this scan to check for. 9. Click Add More Lines if you want to check for more than two processes. 10. Click Save Changes when you are finished. 68 Nokia Secure Access System v3.3 New Features Guide

69 Secure Connector Improvements Secure Connector Improvements There have been a number of improvements to the security and configuration of the Nokia Secure Access System, Secure Connector. These improvements include the following:! Secure Connector IP Assignment Improvements! Multiple WINS, DNS, Domain Suffix Support Secure Connector IP Assignment Improvements Nokia Secure Access System v3.2 offers increased flexibility in assigning IP addresses for Secure Connector clients. In previous versions, all client addresses were assigned from a single address pool and the available addresses could not be on the same subnet as the gateway. In Nokia Secure Access System v3.2:! IP addresses on the same subnet as the Nokia Secure Access System gateway are valid addresses for Secure Connector clients. This relieves administrators from the burden of creating and maintaining routable IP address ranges for Secure Connector clients if free addresses on the gateway subnet are available. IP addresses outside the local subnet can still be used, but you must make sure that the path from internal resources used by the clients to the client addresses is routed through the Nokia Secure Access System gateway. When addresses on the same subnet as the gateway are used, the gateway automatically creates Proxy Address Resolution Protocol (ARP) table entries to accept datagrams for those addresses and forward them to the Secure Connector clients. If the addresses are removed from the address pool, the ARP table entries are automatically removed so that default network behavior is restored.! You can assign a specific IP address to a specific user. Note Per-user IP address assignments are not supported in session state sharing or load balancing configurations.! You can assign an IP address pool to a specific user group. The global IP address pool, individual IP address assignments, and the group IP address pool features can be used in any combination. When more than one IP address feature is used, the following precedence is used to determine how addresses are assigned:! User IP address if specified! An address from the group address pool if available! An address from the global address pool Nokia Secure Access System v3.3 New Features Guide 69

70 2 New Features for Nokia Secure Access System v3.2 To assign a specific IP address or IP address pool 1. From the Nokia Secure Access System configuration menu, choose Global Properties > Secure Connector. 2. Click the IP Assignment tab to open the Secure Connector IP Assignment page. 3. In the Allocate Client Addresses section, specify the global IP address pool as a comma separated list of subnets in IP Address/Mask Length format. For example, /24.! Local addresses (addresses on the same subnet as the gateway) can be specified with any mask length. Specify single addresses with a mask length of 32.! Remote addresses (addresses that must be routed to the gateway) must be specified as subnets of at least four addresses. In other words, the mask length must be less than or equal to (optional) To assign specific addresses to individual users: a. Scroll down to the Reserve Client Addresses section. b. Enter the user s gateway login name in the text box provided. c. Enter the IP address they will use in the text box provided. The IP address must be from the global address pool. 70 Nokia Secure Access System v3.3 New Features Guide

71 Secure Connector Improvements d. Click Add More as needed to add additional lines to the table. 5. (optional) To reserve specific address pools for specific groups: a. Scroll down to the Reserve Client Addresses section. b. Select a group from the dropdown list. c. Enter a comma-separated list of subnets to use as the address pool for the group. The IP address must be from the global address pool. d. Click Add More as needed to add additional lines to the table. 6. When you have finished specifying IP addresses, scroll to the bottom of the page and click Save Settings. Note Use the Disable check box next to an address to temporarily disable individual or group IP address assignment. Use the Delete check box to permanently remove an assignment. Multiple WINS, DNS, Domain Suffix Support Nokia Secure Access System v3.2 expands configuration of Secure Connector to include the support of up to 10 WINS and DNS server entries, along with support for defining a domain suffix. The Secure Connector configuration page reflects these additional configuration options. Nokia Secure Access System v3.3 New Features Guide 71

72 2 New Features for Nokia Secure Access System v3.2 To add multiple WINS, DNS server entries, and a domain suffix 1. From the Nokia Secure Access System Configuration menu, choose Global Properties > Secure Connector to open the Secure Connector Configuration page. 2. Scroll down to DNS Server Configuration in the Server Settings section. 3. In the DNS Server Configuration pane, enter the DNS server IP address. You can enter up to 10 DNS server addresses. 4. (Optional) Click Add More Lines to configure more than three DNS servers. Note Be sure to save changes before adding more lines. Failure to do so will delete the DNS information that you have just configured. If you want to provide the DNS suffix for resolving host names that are not specified as fully qualified domain names, enter the suffix in the space provided. For example, myschool.edu or example.com. 5. In the WINS Server Configuration pane, enter the WINS server IP address. You can enter up to 10 WINS server addresses. 6. (Optional) Click Add More Lines to configure more than three WINS servers. Note Be sure to save changes before adding more lines. Failure to do so will delete the WINS information that you have just configured. 7. Click Save Changes when you are finished. 72 Nokia Secure Access System v3.3 New Features Guide

73 End-Point Security Scanning End-Point Security Scanning Network security has been significantly enhanced in this release with the addition of End-Point Security Scanning for Nokia Secure Connector clients. End-Point Security Scanning allows the system administrator to configure individual scan rules and groups of rules to ensure that a client requesting access to the gateway meets your corporate standards for security requirements. You can also configure End-Point Security Scanning to check for running processes (such as a keystroke logging) and any known harmful executable that may be present on the client machine. Configuring End-Point Security Scanning consists of defining the following:! Client Checks Using the templates provided, the administrator can specify the type of check to be run on the client machine.! Check Groups A group of individual client checks. Grouping the individual client checks provides the ability to scan for multiple items on the client device at one time.! Scan Groups A grouping of individual check groups create a scan group.! Scan Rules The scan rules determine the types of scans to be performed on the individual clients, based on user name, user group, and other variables such as IP address or operating system. Configuring Client Checks The first step in setting up End-Point Security Scanning is to identify and configure the individual elements that the scan will check for on a client device requesting access to the network resources. You configure these checks to cover each type of security check that you want run on a Secure Connector client device, regardless of the individual user or user groups at this point. After you have configured the client checks, you can group them together and apply them as necessary to users and user groups. To assist you in this task, Nokia Secure Access System v3.2 provides two types of templates: standard and custom. The standard template contains the default elements common security software. Using this type of template simplifies the task of client check configuration. Custom templates are provided for those who want or need to configure more detailed client checks. The following section provides information for using a Standard template to configure a client check. For details and information about using a custom template to create a client check, see Using Custom Templates on page 78. About Failed Client Checks You can configure an error message to display to a Secure Connector user should a client check fail. This error message can contain a URL link to a corrective Web page (located either on your enterprise intranet, or the Internet) where the user can take the appropriate corrective action. If the Secure Connector client is configured on the gateway to allow access after the corrective action has been taken, the client machine will be automatically rescanned, and access will be granted. Nokia Secure Access System v3.3 New Features Guide 73

74 2 New Features for Nokia Secure Access System v3.2 Note You can configure resources to allow restricted access to Secure Connector clients. Secure Connector clients who fail an End-Point Security scan will still be able to access those resources configured to allow restricted access. To configure a client check 1. From the Nokia Secure Access System configuration menu, choose End-Point Security > Secure Connector Scan. 2. Click the Client Check tab. The Manage Client Checks window opens. 3. Select the type of check you want to configure from the drop-down list. 74 Nokia Secure Access System v3.3 New Features Guide

75 End-Point Security Scanning The drop-down list contains two types of templates, standard and custom. Pictured below is the list of the available Standard templates.. The Custom template list contains various items that you can use to create a more specific client check. See Using Custom Templates on page 78 for details about using Custom Templates. The template list is shown below. Each of these templates produces a separate configuration (properties) page when selected. Using Standard Templates The Standard Templates list contains the most commonly used types of security applications for antivirus and firewall software. Nokia Secure Access System v3.3 New Features Guide 75

76 2 New Features for Nokia Secure Access System v3.2 Shown below is the template for a Kaspersky antivirus software client check. This template is one of the many standard antivirus templates. Standard templates typically contain the following items:! Client Check Name Enter a unique name for this client check.! Error String Enter the text of the error message you want displayed to the user if the client check fails.! Corrective URL Enter the URL of the download page for corrective actions in the event of a failed scan.! Internal URL Enter the URL of the download page for corrective actions in the event of a failed scan.! Create as a Web Resource Allows you to configure this link as a Web Resource on the user portal page.! DAT files Allows you to specify currency values for AV DAT files. The following section describes how to create a McAfee antivirus client check using a standard template. 76 Nokia Secure Access System v3.3 New Features Guide

77 End-Point Security Scanning To configure a client check using a Standard Template 1. From the Nokia Secure Access System configuration menu, choose End-Point Security > Secure Connector Scan. 2. Click the Client Check tab. The Manage Client Checks window opens. 3. From the drop-down list, select McAfeeAV from the Standard template list. The Properties for McAfeeAV Client Check window opens. 4. Enter a descriptive name for this client check. For example, McAfee AV Installed. 5. Enter the text of the error message you want displayed to the user if this client check fails. For example, You must update the McAfee antivirus software you have installed. Click the link below to download the update. 6. Enter the URL to the Web page containing the update or executable.! If the URL is located on your corporate intranet, check Internal URL.! If you want to make this URL available as a Web resource from the user portal page, click Create as a Web Resource. 7. Indicate the desired currency of the antivirus dat files by selecting one of the check boxes. Nokia Secure Access System v3.3 New Features Guide 77

78 2 New Features for Nokia Secure Access System v3.2 For example, you can specify that the antivirus DAT files are to be no more than 5 days old by checking the first check box, and entering the value of 5 in the number of days field. Alternatively, you could select the second check box, and enter a specific threshold date that would apply to the DAT files. 8. Click Save Settings when you are finished. 9. Click Back to Client Checks. The new check is shown in the list of client checks. Once you have configured the client checks you want using the standard template, you can configure more detailed checks (such as a check for a specific registry key entry) using the custom templates as described below. When you are finished configuring client checks, you then can put these individual checks in to check groups. See Configuring a Check Group on page 83 for more information. Using Custom Templates Custom templates are provided to help you configure very specific security scans that address specific applications, port scanning, files and other processes that are specific your enterprise. For example, you would use a custom template to configure a check to ensure that a specific file is in present the expected location on the client machine, or that a certain process is running. With the v3.2 release of Nokia Secure Access System, the following types of checks can be configured by using the custom templates.! A File and/or Folder exists by providing the known location on the client system, or other variable, this check locates a specific file or folder.! Process Running ensures that the process specified is running on the client, without having to provide a specific location. You can also configure the client check to fail if a specified process is not running, and should be.! Security Patch or Hotfix ensures that the client machine has the required security patches or hotfixes for the installed operating system.! Access URL can deny access to a specific URL.! Device Driver Loaded checks to ensure that the proper device driver is present and running.! Running Service checks the services list to ensure that the specified service is running.! Registry Entries when a registry key is selected to locate a folder, a list of major HKEY values appear. Use the list to specify the registry key, enter the base key information, and the folder (or file) entry name you want to locate.! INI files searches for a specific INI file in the Windows directory. You must supply the section name (displayed in square brackets in the INI file) and the entry name (the value preceding the equal sign [=] in the INI file.)! Port Scanning Activity checks the specified port numbers (UDP or TCP) for activity.! Search of a File for Specific String checks the file specified for the a matching string or regular expression. You use custom templates to configure each distinct type of client scan that you want run on a Secure Connector client seeking access. You can then customize these individual client checks 78 Nokia Secure Access System v3.3 New Features Guide

79 End-Point Security Scanning by grouping them to form a client check group, or Check Group. See Configuring a Check Group on page 83 for more information. With the custom template, you can also select the option to Negate this Client Check. This option allows you to ensure that the application or process specified in this client check is not running or present on the system. This is most useful for ensuring that harmful processes such as keystroke logging or known harmful executable files are not present. For the purposes of illustration, the following sections show how to configure two types of client checks using a custom template: a check to search for a specific file (or folder), and a check for a registry entry. To configure a file (or folder) check using a custom template 1. From the Nokia Secure Access System configuration menu, choose End-Point Security > Secure Connector Scan. 2. Click the Client Check tab. The Manage Client Checks window opens. 3. From the New Client Check of Type drop-down list, scroll down to the Custom template section, and select File/Folder Exists. Nokia Secure Access System v3.3 New Features Guide 79

80 2 New Features for Nokia Secure Access System v3.2 The properties of File/Folder Exists Client Check window opens. 4. Enter a descriptive name for the client check. For example, Securityfile.txt Check 5. If you want to ensure that this particular file is NOT present on the client system, check the Negate this Client Check check box. 6. Enter an error message in the Error String text box. 7. Enter a URL to a Web page for corrective action. 80 Nokia Secure Access System v3.3 New Features Guide

81 End-Point Security Scanning! If this URL is located on the corporate intranet, check the Internal URL check box.! If you want to create this Web page as a resource, check the Create as a Web Resource check box. 8. To check that a specific folder is present, select the Folder Specification check box and choose the type of folder location search to perform from the drop-down list. The options are:! File path specify the exact location of the folder (or file) on the client machine; for example, C:\bin\file.txt! CSIDL location use a CSIDL variable to search for the folder location. When selected, a list of the most common CSIDL entries appears in a drop-down list. Use this list to specify the CSIDL variable to use for the search.! Registry key use registry values to locate the folder. When a registry key is selected to locate the folder, a list of the major HKEY values appears. Use this list to specify the registry key to use, enter the base key information, and the folder (or file) entry name that you are looking for.! INI file search for a specific INI file in the Windows directory. You must supply the section name (displayed in square brackets in the INI file) and the entry name (the value preceding the equal sign = in the INI file). 9. To check for a specific file, select the File check box and select the type of file search you want to perform a path, registry, or INI search. See the above list for a description of these search variables. 10. Enter the File MD5 Hash algorithm, if available (Optional). 11. Enter the digital signature, if available (Optional). 12. Enter the build checksum, if available (Optional). 13. Click Save Settings. The new client check is added to the list of client checks. To configure a client registry check 1. From the Nokia Secure Access System configuration menu, choose End-Point Security > Secure Connector Scan. 2. Click the Client Check tab. The Manage Client Checks window opens. 3. From the New Client Check of Type drop-down list, scroll down to the Custom template section, and select Registry. Nokia Secure Access System v3.3 New Features Guide 81

82 2 New Features for Nokia Secure Access System v3.2 The Properties of Registry Client Check window opens. 4. Enter a descriptive name for the client check. For example, HKEY_CURRENT_USER Check. 5. If you want to ensure that this Registry Key is NOT present on the client system, or that the result does not match the comparison you are performing, check the Negate this Client Check check box. 6. Enter an error message in the Error String text box. This message will be displayed to the user should the check fail. 7. Enter a URL to a Web page for corrective action, if desired.! If this URL is located on the corporate intranet, check the Internal URL check box. 82 Nokia Secure Access System v3.3 New Features Guide

83 End-Point Security Scanning! If you want to create this Web page as a resource, check the Create as a Web Resource check box. 8. Select the root key variable from the drop-down list. 9. Enter the base key information. Use any standard registry editor to obtain this information. 10. Select an operand from the drop-down list to compare the registry value to. The options are:! NONE! EQUAL_TO! LESS_THAN! GREATER_THAN! DELTA_DATE 11. Enter the entry name and entry value for this comparison. 12. Select a format from the drop-down list. 13. Click Save Settings. The registry check is added to the list of client checks. Configuring a Check Group A check group is a collection of separate client checks. By configuring a client check group, you can run multiple checks at the same time. For example, you can configure a single check group to run all the individual client checks for each allowed antivirus software application at once. To configure a check group 1. From the Nokia Secure Access System configuration menu, choose End-Point Security > Secure Connector Scan. 2. Click the Check Groups tab. Nokia Secure Access System v3.3 New Features Guide 83

84 2 New Features for Nokia Secure Access System v3.2 The Manage Check Groups window opens. 3. Click New Check Group. 84 Nokia Secure Access System v3.3 New Features Guide

85 End-Point Security Scanning The Properties of Check Group window opens. 4. Enter a unique name for this check group. 5. Enter an error message to redirect the user and a corrective URL should the check fail to meet the specified requirements. You can either direct them an internal or external URL. You can also create the link to appear on their portal page as a Web resource. 6. Select the operation from the drop-down list. The default is AND.! If you select AND, the scan will return successful result when all scan criteria are met.! If you select OR, the result will return a successful result when any one of the criteria are met. 7. Select client checks from the drop-down list in the Check Group Composition pane. Use the add and remove buttons to add more lines, or remove unwanted lines, respectively. Nokia Secure Access System v3.3 New Features Guide 85

86 2 New Features for Nokia Secure Access System v Click Save Settings when you are done. 9. Click Back to Check Groups. The new Check Group is added to the list of Check Groups. You can now put Check Groups together to form Scan Groups. Scan Groups combine various types of Check Groups to produce a comprehensive scan. Configuring a Scan Group You can group various individual Check Groups to form a Scan Group. A Scan Group performs all the individual checks that you have specified for the Check Group in a single scan. To create a scan group 1. From the Nokia Secure Access System configuration menu, choose End-Point Security > Secure Connector Scan. 2. Click the Scan Group tab. The Manage Scan Groups page opens. 3. Click New Scan Group. 86 Nokia Secure Access System v3.3 New Features Guide

87 End-Point Security Scanning The Properties for New Scan Group window opens. 4. Enter a unique name for this Scan Group. 5. Select the operation, AND or OR.! If you select AND, the scan will return successful result when all scan criteria are met.! If you select Or, the result will return a successful result if any one of the criteria are met. 6. Select the Check Groups for this San Group from the drop-down lists in the Scan Group Composition. 7. Click Save Settings when you are done with this Scan Group. 8. Click Back to Scan Groups when you are finished configuring all Scan Groups. Nokia Secure Access System v3.3 New Features Guide 87

88 2 New Features for Nokia Secure Access System v3.2 Configuring Scan Rules Once all the client checks, check groups, and scan groups have been configured, you can apply those checks to specific groups and users. When a client requests access to the gateway, all the scans configured for that client will be run, based on the user logon credentials, operating system, or SSL strength. To configure a scan rule 1. From the Nokia Secure Access System configuration menu, choose End-Point Security > Secure Connector Scan. 2. Click the Scan Rules tab. The End-Point Security Scanning Rules window opens. 3. Using the drop-down lists and options on this window, configure the following:! Apply Scan Group select the type of scan to be run from the configured Scan Groups list.! User Name if you want this to apply to a specific user, enter the user name.! User Group select the user group for this scan group from the configured User Groups list.! Variable select the variable to apply for this scan. Options are OS, Client IP Address, SSL strength (40, 56, or 128-bits encryption).! Variable Value use the drop-down list to select the variable value that corresponds to the selected variable, or enter the value manually (such as client IP address or SSL strength values). 88 Nokia Secure Access System v3.3 New Features Guide

89 End-Point Security Scanning! Scan rules every _ seconds Enter a value in seconds for the cycle of this scan. Caution Be sure to click Save Settings when you have finished configuring the Scanning Rules. If you select Add More Lines before you click Save Settings, all the Scanning Rules configuration information that you just configured will be lost. 4. Click Save Settings when you are finished. To add more End-Point Security Scanning Rules, click Add More Lines, and repeat the above steps 5.. Nokia Secure Access System v3.3 New Features Guide 89

90 2 New Features for Nokia Secure Access System v Nokia Secure Access System v3.3 New Features Guide

91 3 New Features for Nokia Secure Access System v3.1 This section describes the new features available in Nokia Secure Access System v3.1:! ActiveX for Port Forwarding! Dual Authentication! Single Sign-On Enhancements ActiveX for Port Forwarding Nokia Secure Access System v3.1 provides the option of using ActiveX controls or a Java applet for port forwarding of system resources. ActiveX port forwarding simplifies deployment issues and the Windows user experience, as downloading and installing the Sun Java Virtual Machine is no longer required. ActiveX port forwarding differs from Java port forwarding in the following ways:! When the ActiveX control launches, an ActiveX icon (shown below) is placed in the Windows system tray instead of the Java applet icon. l b Note If the Java Applet icon appears in the system tray instead of the Active X icon when port forwarding is started, either ActiveX port forwarding failed to launch, or the gateway did not recognize the browser as Internet Explorer.! Right-click the ActiveX icon to display a menu with the following items:! About provides information about the current version of the ActiveX port-forwarding control. This information can be helpful to customer support for troubleshooting.! Status displays a popup window that shows the status of the port-forwarding session. This is the same information provided in the applet window for Java-based port forwarding. For ActiveX port forwarding, click Hide to close the window without terminating the port-forwarding session. Nokia Secure Access System v3.3 New Features Guide 91

92 3 New Features for Nokia Secure Access System v3.1! Exit terminates the session and closes the ActiveX control. Closing the Internet Explorer browser window also terminates the session. ActiveX port forwarding is available only to Windows clients using the Internet Explorer browser. You can configure port-forwarding settings for these users in the following ways:! Java port forwarding only if ActiveX initialization fails! ActiveX port forwarding only! Java port forwarding only Note The first option, using Java only if ActiveX fails, is the default. Note For clients using a browser other than Windows Internet Explorer, Java-based port forwarding is always used, regardless of the configuration options set by the administrator. Port-forwarding configuration options are available in the Nokia Secure Access System configuration application under Resources >Port-Forwarding > Settings. Additional Port Forwarding Enhancements In addition to adding the ActiveX control for port forwarding, Nokia Secure Access System v3.1 offers the following enhancements to port forwarding. 92 Nokia Secure Access System v3.3 New Features Guide

93 Configuring Port Forwarding to Start Automatically With Nokia Secure Access System v3.1, the administrator can configure port-forwarding resources to automatically start when the user successfully logs on to the portal. Configuring this feature involves indicating that port-forwarding resources start automatically, selecting the users or user groups for which this applies, and indicating which resources will be automatically started. To configure port-forwarding resources to start automatically 1. From the Nokia Secure Access System configuration menu, choose Resources > Port- Forwarding > Settings. The Port-Forwarding Settings page opens. 2. Click Automatically start port forwarding when a user signs on. Note The setting to automatically start port-forwarding resources does not affect the Local Web Proxy resource. To enable or disable automatically starting the Local Web Proxy, choose Resources > Web > Web Resources and change the Disable setting of the Default Web resource. 3. Click Save Settings. Nokia Secure Access System v3.3 New Features Guide 93

94 3 New Features for Nokia Secure Access System v3.1 You now select the users or groups of users for which you want to autostart specific resources. 4. From the Nokia Secure Access System configuration menu, choose User Configuration > User Group (or User) > Manage User Group (or Manage User). 5. Click the name of the User Group or User to which auto-starting resources will apply. 6. At the top of the screen, click the Portal tab. The Portal properties page for the selected user or user group opens. 7. Scroll down to the Port-Forwarding Resources section. 8. Configure the following settings for each port-forwarding resource:! Visible indicates whether or not the portal link for the port-forwarding resource is visible on the portal.! Autostart indicates whether or not the port-forwarding resource is automatically launched when the user signs on (assuming the user did not disable PFP auto-launch). For more information about user configuration of the autostart feature, see the next section, Overriding the Autostart Configuration Settings. 94 Nokia Secure Access System v3.3 New Features Guide

95 Note Resources that have not been configured by the administrator for autostart will not appear on the portal page. Overriding the Autostart Configuration Settings Although the administrator can configure specific port-forwarding resources to be automatically started, a user can override this from their portal preferences page, as the following screen shows. Note If a specific resource has been configured to start automatically and also to be invisible, and a user overrides this autostart option, the resource then becomes inaccessible to that user, unless they re-enable the autostart preference. Dual Authentication Nokia Secure Access System v3.1 provides a combined certificate and password authentication mechanism. This dual authentication method allows an enterprise to further protect network resources and implement more granular security policies. Dual authentication allows administrators to enforce PKI certificate-based authentication in addition to password-based authentication. This mechanism can also be configured to make certificate authentication optional, allowing for multiple levels of access using the same authentication method. One common scenario for the use of dual authentication is to issue certificate to enterpriseissued laptops and use dual authentication to distinguish whether users are logging in from their enterprise device, or from some other device. Note Users all have the group memberships set for password-based authentication. With dualauthentication, that user will additionally have group memberships configured for the additional (certificate-based) authentication method. Having these two methods to authenticate a user can be used to differentiate users who authenticate with a certificate from those who do not (when having a certificate is optional). Nokia Secure Access System v3.3 New Features Guide 95

96 3 New Features for Nokia Secure Access System v3.1 Configuring Dual Authentication This section contains information about the options and results for configuring dual authentication methods. To configure dual authentication: 1. Choose User Configuration > Authentication from the Nokia Secure Access System configuration menu. 2. Click the Password-Based authentication method for which you want to add a certificatebased authentication method. The General properties page for the password-based method opens. 3. Scroll down to the Additional Certificate Authentication box on this page. 4. Click the Enable additional certificate authentication using PKI authentication method. 5. Use the drop-down list to select the authentication and PKI method. The new configuration settings for password-based authentication are shown in the Additional Certificate Authentication dialog box. The radio buttons on the dialog box (located below the authentication method drop-down list) allow the administrator to control whether a certificate is required to authenticate, or is optional.! If a certificate is required, a user must successfully authenticate with both a username/ password AND a certificate that validates under the chosen PKI authentication method.! If certificate authentication is optional, the administrator may use groups to distinguish users that succeeded in authenticating with a certificate from those that did not, providing more or different access to users who authenticated with a certificate. The new configuration options for PKI authentication methods are shown below. These options control whether the PKI authentication method is available on the sign-on page for direct authentication to the gateway, or whether it is only available for use with passwordbased methods. The latter setting makes it possible to use dual authentication without 96 Nokia Secure Access System v3.3 New Features Guide

97 offering any direct certificate sign-on, thereby reducing possible confusion on the user s part. Configuring the Sign-On Message You can configure a message that will be displayed to the user when an authentication attempt fails. These messages can be localized, and can also contain HTML tags for a hyperlink to a publicly available page (for example, a page that contains details and information about how to obtain a client certificate). You can enter a separate message for failed password authentication, and another message for client certificate authentication failure. To configure the sign-on message: 1. Choose Global Properties > Appearance > Sign-on Page. 2. Type the desired message text in the Messages text box. 3. Click Save Settings. Single Sign-On Enhancements Previous releases of Nokia Secure Access System included a single sign-on feature that could store a user name and password pair for each user. These stored credentials could then be used as pass-through credentials for Web or file resources accessed through the gateway. However, in this scenario, the user was unable to set a single sign-on credential by any method other than logging into the gateway using an authentication method that was pass-through credential (PTC) enabled. Nokia Secure Access System v3.1 removes this limitation by providing a new Web resource, SetPTCCredentials, that allows the administrator to configure the single-sign-on credential option for a user. When the system administrator enables this feature, a new section is Nokia Secure Access System v3.3 New Features Guide 97

98 3 New Features for Nokia Secure Access System v3.1 automatically added to that user's portal preferences page. Each user can then set their single sign-on (or PTC) directly from their portal page. Note Some IIS Web servers require a domain name for NTLM-HTTP authentication. The optional Domain field on the Preferences page allows users to configure credentials for those sites. Nokia Secure Access System v3.1 also adds a new check box to the backend authorization screen to reset single sign-on credentials to the credentials used to access the current resource. The backend authorization screen appears when users attempt to connect to a Web server, FTP server, or Windows file server for which authentication credentials are not yet available. 98 Nokia Secure Access System v3.3 New Features Guide